Last week AndroidPolice.com highlighted some Apps in the Android Marketplace that had been re-published by hackers with malicious code injected into them, allowing the Apps to discover certain things about the device they were installed on and send the information back to the hacker.
The rogue versions of legitimate Apps were able to report back the “IMEI and IMSI numbers along with product ID, model, partner (provider?), language, country, and userID.”
They reported this discovery to Google, who had all the Apps under this publisher pulled within 5 minutes; however, the Apps were available long enough to clock up over “50k-200k downloads combined in 4 days”.
Google have today confirmed, via their Mobile Blog, some further details on the attack and the steps they have taken as a result of it:
1. We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
2. We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
3. We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from firstname.lastname@example.org over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
4. We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.
The remote removal is a nice touch, since it's possible some users will never be aware that they downloaded a malicious App in the first place, but these are all reactive measures rather than proactive ones.
Those who complain about the tightly enforced publishing rules of the Apple App Store, and favour the simple instant publishing of the Android Marketplace, need to start rethinking their case now. It was only a matter of time before something like this happened, and the audacity of republishing trojan versions of existing Apps rather than just throwing a virus-laden ‘flashlight app’ up highlights this even more.
Google needs to address this urgently, and it remains to be seen what Point 4 above (“We are adding a number of measures to help prevent additional malicious applications using similar exploits”) actually means. Will Google start verifying Apps before they are published? For those from unknown, untrusted publishers it would certainly make sense.